The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR>

The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR>

Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands

Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands

−

{{Cmd|apk add openvpn-easy-rsa

+

{{Cmd|apk add easy-rsa # from the community repo

−

cd /usr/share/doc/openvpn/easy-rsa}}

+

cd /usr/share/easy-rsa}}

−

If not already done then create a folder where you will save your certificates and save a copy of your '''/usr/share/openvpn/easy-rsa/vars''' for later use.<BR>

+

If not already done then create a folder where you will save your certificates and save a copy of your '''/usr/share/easy-rsa/vars''' for later use.<BR>

−

(''All files in '''/usr/share/openvpn/easy-rsa''' are overwritten when the computer is restarted'')

{{Cmd|mkdir /etc/openvpn/keys

{{Cmd|mkdir /etc/openvpn/keys

cp ./vars /etc/openvpn/keys}}

cp ./vars /etc/openvpn/keys}}
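Review bot: the path update is incomplete. The new `cd /usr/share/easy-rsa` and the new vars path `/usr/share/easy-rsa/vars` conflict with the unchanged sentence "Start by moving to the /usr/share/openvpn/easy-rsa folder to execute commands", which still names the old directory, and `cp ./vars /etc/openvpn/keys` only works if the reader is actually in the directory that contains vars. Change that sentence to `/usr/share/easy-rsa` in the same edit. The removed note ("All files in /usr/share/openvpn/easy-rsa are overwritten when the computer is restarted") is dropped without saying whether the same applies to /usr/share/easy-rsa; either keep it with the new path or state that it no longer applies. Also, `apk add easy-rsa # from the community repo` should say that the community repository has to be enabled in /etc/apk/repositories first, otherwise the package cannot be installed.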

Revision as of 22:45, 31 December 2015

This article describes how to set up an OpenVPN server with Alpine Linux.
This is an ideal solution for allowing single users or devices to remotely connect to your network. To establish connectivity with a remote office or site, Racoon/Opennhrp would provide better functionality.

It is recommended that you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be in the private IP address ranges described here: Wikipedia

If your Internet-connected machine does not have a static IP address, a dynamic DNS service such as DynDNS can be used to keep a DNS name pointing at its current IP address.

Set up Alpine

Initial Setup

Install programs

Install openvpn

apk add openvpn

Prepare autostart of OpenVPN

rc-update add openvpn default

modprobe tun
echo "tun" >>/etc/modules

Certificates

One of the first things that needs to be done is to make sure that you have secure keys to work with. Alpine makes this easy by providing a web interface to manage the certificates. Documentation for it can be found here: Generating_SSL_certs_with_ACF. It is best practice not to run your certificate server on the same machine as the router used for remote connectivity.

You will need to create a server (ssl_server_cert) certificate for the server and one client (ssl_client_cert) for each client. To use the certificates, you should download the .pfx file and extract it.

To extract the three parts of each .pfx file, use the following commands:

To get the ca cert out...

openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem

To get the cert file out...

openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem

To get the private key file out. The -nodes option writes the key unencrypted, so make sure this file stays private and is not readable by other users.

openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem

On the VPN server, you can also install the acf-openvpn package, which contains a web page to automatically upload and extract the server certificate. There is also a button to automatically generate the Diffie Hellman parameters.
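As an added example (not code from the wiki page, from OpenVPN or from the ACF packages), the following POSIX shell script runs the three openssl extractions above into a keys directory, keeps key.pem private, and checks that the extracted certificate chains to the extracted CA and matches the private key. It assumes openssl is installed; the file names, the --demo flag, the password and the constructed sample bundle built by make_sample_pfx are assumptions, not output of the ACF certificate server.

```shell
#!/bin/sh
# Added example, not code from the Alpine wiki or the openvpn/acf packages.
# Runs the page's three pkcs12 extractions into a keys directory, locks down
# key.pem, and checks that cert, key and CA belong together. Assumes openssl
# is installed; file names and the sample password are assumptions.
set -eu

# extract_pfx PFXFILE OUTDIR PASSWORD: the page's three openssl calls, run
# under a restrictive umask because -nodes writes the key unencrypted.
extract_pfx() {
    mkdir -p "$2"
    ( umask 077
      openssl pkcs12 -in "$1" -cacerts -nokeys -out "$2/ca.pem"   -passin "pass:$3"
      openssl pkcs12 -in "$1" -clcerts -nokeys -out "$2/cert.pem" -passin "pass:$3"
      openssl pkcs12 -in "$1" -nocerts -nodes  -out "$2/key.pem"  -passin "pass:$3" )
    chmod 600 "$2/key.pem"
}

# check_pair DIR: cert.pem must verify against ca.pem, and the public key in
# cert.pem must equal the one derived from key.pem (detects mixed-up files).
check_pair() {
    openssl verify -CAfile "$1/ca.pem" "$1/cert.pem" >/dev/null &&
    [ "$(openssl x509 -in "$1/cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/key.pem" -pubout)" ]
}

# key_mode FILE: permission string as printed by ls, e.g. "-rw-------".
key_mode() { ls -l "$1" | cut -c1-10; }

# make_sample_pfx OUTFILE: constructed CA and client certificate bundled into
# a .pfx, standing in for a bundle downloaded from the ACF certificate server.
make_sample_pfx() {
    t=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example-ca \
        -keyout "$t/ca.key" -out "$t/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=client1 \
        -keyout "$t/client.key" -out "$t/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$t/client.csr" -CA "$t/ca.crt" \
        -CAkey "$t/ca.key" -CAcreateserial -out "$t/client.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$t/client.key" -in "$t/client.crt" \
        -certfile "$t/ca.crt" -out "$1" -passout pass:changeit
    rm -rf "$t"
}

# "sh extract_pfx.sh --demo" runs the whole flow on the constructed bundle.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_sample_pfx "$d/client1.pfx"
    extract_pfx "$d/client1.pfx" "$d/keys" changeit
    check_pair "$d/keys" && echo "consistent; key mode $(key_mode "$d/keys/key.pem")"
fi
```

For a real bundle, point extract_pfx at the downloaded .pfx and at /etc/openvpn/keys and run check_pair on that directory before referencing the files from the OpenVPN configuration.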

Set up an 'OpenVPN Server'

Set up an 'OpenVPN Client'

Create client certificates

./build-key <commonname>

Revoke a certificate

To revoke a certificate

./revoke-full <commonname>

The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory. The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration: